Remove Return-Path from header sign about go-msgauth HOT 7 CLOSED

https://github.com/emersion/go-msgauth/search?q=Return-Path

Not sure where your issue comes from, but it's not from go-msgauth. I'd suggest opening a downstream issue.

from go-msgauth.

Yes, it is not, but the return path is part of an email header, it should be ignored and not signed by dkim.Sign.

Now the signature looks like this:
DKIM-Signature: a=rsa-sha256; bh=[* * ];
c=relaxed/relaxed; d=domain.com;
h=Content-Type:X-Complaints-To:Campaign-Id:List-Unsubscribe:Signedby:Return-Path:Sender:Precedence:Message-Id:Feedback-Id:Subject:Message-Id:To:From:Date:Mime-Version;
s=default; t=1641899925; v=1;
b=[ * * *]

from go-msgauth.

The library users tells go-msgauth which fields should be signed. They are responsible for not signing fields which shouldn't be.

from go-msgauth.

I apologize, I was wrong thinking that the library follows the protocol rules 😄

from go-msgauth.

The RFC indicates this requirement as a "SHOULD". Hence, the library won't forbid library users from doing the wrong thing here.

If it was a "MUST", I';d be fine with returning an error if the caller does the wrong thing. That's not the case here.

from go-msgauth.

Yes, but SpamAssassin sees the signature as invalid if it contains Return-Path

from go-msgauth.

SpamAssassin Score: -4.8
Message is NOT marked as spam
Points breakdown:
-5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/,
high trust
[91.247.179.194 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid

from go-msgauth.